
Re: Debian Full Distro v Debian 'Stripped Down' for firewall?



On Monday, 17.01.2005 at 14:05 +0000, Robert Brockway wrote:

> >4. Configure the firewall as a 'forwarding' firewall, so that it doesn't
> >actually listen for any services of its own, with the exception of SSH
> >from a single IP on the 'GREEN' interface.
> 
> Best practice has it that no services are run on the firewall (except ssh) 
> to avoid someone being able to get in behind the firewall and bring it 
> down.  Do compare this though to the security of letting someone _through_ 
> the firewall.  If you are letting people into your internal network it is 
> just as bad unfortunately.  A DMZ is needed for decent security but that 
> may not be viable in a home setup.  Security is about assessing risk vs 
> the effort you want to go to (or can afford).

We're doing the classic DMZ 'three-armed' network layout, nothing comes
directly into GREEN; the DMZ will house the publicly-accessible
servers.

> >Possible additional measures:
> >
> >5. Fine-tune kernel for routing and firewall behaviour;
> 
> You're unlikely to stress the box enough to warrant it IMHO.  Firewalling 
> is packet evaluation and passing.  If you are loading the box so much that 
> you need to fine-tune it then getting a bigger box is a good plan.

That's a good point ... :-)

> >6. Allow firewall to use UDP on port 514 outgoing, to send syslogs to a
> >host on the GREEN network for logging.
> 
> I wouldn't send syslog information outside the network unencrypted if I 
> had a choice.  There are ways to encrypt the data once it leaves the 
> network.

Oh, yes, I agree - by GREEN I mean the local private network of course.
My use of 'outgoing' was misleading ... :-)

Thanks for your comments.

Cheers,

Dave.
-- 
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
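The layout discussed in this thread (a forwarding-only three-armed firewall that listens for nothing but ssh from one GREEN host, lets nothing from the DMZ or outside open a connection into GREEN, and sends its syslog over UDP 514 to a collector on GREEN) written out as an iptables ruleset. This is an added example, not code from the thread or from Debian; the interface names, the addresses, the admin host, the log host and the DMZ web server are all assumptions for illustration, and the rules are emitted in iptables-restore format so they can be read and self-checked before being applied.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal forwarding-only
# ruleset for a three-armed Debian firewall (RED = Internet, GREEN = private
# LAN, DMZ = public servers), emitted in iptables-restore format.
# Every interface name and address below is an assumption for illustration;
# the thread itself names only GREEN and the DMZ.
set -u

RED_IF="${RED_IF:-eth0}"                 # assumed: untrusted side
GREEN_IF="${GREEN_IF:-eth1}"             # assumed: private LAN
DMZ_IF="${DMZ_IF:-eth2}"                 # assumed: DMZ
GREEN_NET="${GREEN_NET:-192.168.1.0/24}" # assumed
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"     # assumed
ADMIN_IP="${ADMIN_IP:-192.168.1.10}"     # assumed: the one GREEN host allowed to ssh in
LOGHOST="${LOGHOST:-192.168.1.20}"       # assumed: syslog collector on GREEN
DMZ_WEB="${DMZ_WEB:-192.168.2.80}"       # assumed: a public web server in the DMZ

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Anti-spoofing: nothing arriving on RED may claim an internal source address.
-A INPUT -i $RED_IF -s $GREEN_NET -j DROP
-A INPUT -i $RED_IF -s $DMZ_NET -j DROP
-A FORWARD -i $RED_IF -s $GREEN_NET -j DROP
-A FORWARD -i $RED_IF -s $DMZ_NET -j DROP
# INPUT: the firewall itself answers only ssh from ADMIN_IP arriving on GREEN.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $GREEN_IF -s $ADMIN_IP -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
# OUTPUT: replies plus syslog to the GREEN log host; nothing else originates here.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $GREEN_IF -d $LOGHOST -p udp --dport 514 -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-output-drop: "
# FORWARD: GREEN may go out to RED and into the DMZ; RED reaches only the DMZ
# web server; the DMZ may never open a connection towards GREEN (policy DROP).
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $GREEN_IF -o $RED_IF -s $GREEN_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $GREEN_IF -o $DMZ_IF -s $GREEN_NET -d $DMZ_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $RED_IF -o $DMZ_IF -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the DMZ web server on RED and masquerade everything leaving RED.
-A PREROUTING -i $RED_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $DMZ_WEB
-A POSTROUTING -o $RED_IF -j MASQUERADE
COMMIT
EOF
}

# Invariants a reviewer checks on the generated text before applying it.
# Returns 0 when every invariant holds, 1 otherwise.
check_ruleset() {
    rules=$(gen_ruleset)
    # 1. every filter chain defaults to DROP
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP' || return 1
    # 2. no rule ever accepts a NEW connection towards GREEN
    printf '%s\n' "$rules" | grep -- "-o $GREEN_IF" | grep -- '--ctstate NEW' | grep -q ACCEPT && return 1
    # 3. the only service the box accepts NEW connections to is the ssh rule
    [ "$(printf '%s\n' "$rules" | grep -c -- '^-A INPUT .*--ctstate NEW -j ACCEPT')" -eq 1 ] || return 1
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    check_ruleset || { echo "ruleset failed self-check, not applying" >&2; exit 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | iptables-restore
else
    gen_ruleset
fi
```

Run without arguments it only prints the ruleset; `--apply` loads it with iptables-restore after the self-check passes. Two things this deliberately leaves out, matching the "no services on the firewall" stance in the thread: the firewall has no outbound rule for DNS or package updates (add a temporary `-A OUTPUT` rule when you run apt), and DMZ hosts cannot open connections anywhere, so any DNS or update traffic they need must be allowed explicitly rather than by a blanket DMZ-to-RED rule.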
